Generic manifest interface

[jackfrancis]

The use-case for this is evolving the static audit policy, implemented here:

#2189

What we want is a general "manifest" data model that we implement as a JSON object in the api model that allows custom configuration. Design TBD

Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm) Kubernetes

[pidah]

just as a suggestion/middleground, would it be useful to have an option to override the audit policy file. For example we have the acs-engine config file as:

      "kubernetesConfig": {
        "networkPolicy": "calico",
        "enableRbac": true,
        "overrideAuditPolicy": {
          "url":  "https://raw.githubusercontent.com/kubernetes/website/master/docs/tasks/debug-application-cluster/audit-policy.yaml"},
        "apiServerConfig": {
          "--admission-control":  "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,AlwaysPullImages"
                  }
      }  

We can implement a generic provider that pulls these files from github (or other sources) during acs-engine deploy time. This might be useful for overriding other files like podsecuritypolicy files, encryption-config file etc or perhaps extend the scope to make it easier to place any custom file on the master/node instances. Any thoughts ? @jackfrancis @lachie83 @brendanburns @feiskyer

[pidah]

@jackfrancis hi, following up my comment in February, I just want to find out if there is a way now to override yaml files applied on a cluster e.g Pod Security Policy yaml ? Thanks 😇

[jackfrancis]

@pidah You can do this as of last week using one of the pre-existing addons.

See here:

#3840

[pidah]

@jackfrancis super ! Thanks 👍🏿

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contribution. Note that acs-engine is deprecated--see https://github.com/Azure/aks-engine instead.